Microsoft warns of giant patch next week

If the company follows through on its plans -- sometimes Microsoft ditches an update at the last minute -- next week's Patch Tuesday will be the largest since October 2008.

"We're back to a normal load," said Andrew Storms, director of security operations at nCircle Network Security. "Some may think of it as pretty big, but really, for anyone who's dealt with Patch Tuesday for the last five years, it's what we should be expecting."

Last month, Microsoft issued just one security update, a 14-patch fix for PowerPoint.

Of the 10 updates Microsoft announced in its monthly advance notification, six will affect Windows, and one each will patch problems in Internet Explorer (IE), Word, Excel and Microsoft Office. Six of the 10 were marked "critical," Microsoft's highest threat ranking, while three were judged "moderate" and one as "important."

"The red flag is going to be [the] IE [update]," said Storms. "It's critical, it's on all versions [of Windows], and it's even critical in Vista for IE7 and IE8."

IE8, which was released in March, is Microsoft's most secure browser yet. Tuesday's update will provide the first-ever production patches for IE8.

Storms also pointed out that it looks like Microsoft won't protect Mac users this month. "We don't have the PowerPoint for the Mac patches," he said after reviewing the advance notice. Last month, Microsoft took the unusual step of patching the Windows versions of PowerPoint, but not the Mac editions, saying that it didn't want to postpone the update to await Mac fixes.

Attackers had been exploiting the PowerPoint bug in Windows since at least early April. "[But] none of the exploit samples we have analysed will reliably exploit the Mac version, so we didn't want to hold the Windows security update while we wait for Mac packages," Jonathan Ness, an engineer at the Microsoft Security Response Centre, explained last month.

Some criticised Microsoft's decision. Swa Frantzen, an analyst at SANS Institute's Internet Storm Centre (ISC), said Microsoft was breaking its own rules about "responsible disclosure" by letting the Mac patches slide. "We all know from past experience [that] the reverse engineering of patches back into exploits starts at the time -- if not before -- the patches are released," said Frantzen four weeks ago. "So in the end, Microsoft just released what hackers need to attack."